authordrochner <drochner>2013-09-11 18:00:33 +0000
committerdrochner <drochner>2013-09-11 18:00:33 +0000
commit219f4dd8cad6dfc630cdb8bf5125f567f443ea69 (patch)
tree7de12a563188e3f585d8d3cf96bbe3182e22ca92 /sysutils/xenkernel41
parentc797798dd8f072d14dde26951cae608283182dc3 (diff)
downloadpkgsrc-219f4dd8cad6dfc630cdb8bf5125f567f443ea69.tar.gz
update to 4.1.6.1
This release fixes the following critical vulnerabilities:
CVE-2013-1918 / XSA-45: Several long latency operations are not preemptible
CVE-2013-1952 / XSA-49: VT-d interrupt remapping source validation flaw for bridges
CVE-2013-2076 / XSA-52: Information leak on XSAVE/XRSTOR capable AMD CPUs
CVE-2013-2077 / XSA-53: Hypervisor crash due to missing exception recovery on XRSTOR
CVE-2013-2078 / XSA-54: Hypervisor crash due to missing exception recovery on XSETBV
CVE-2013-2194, CVE-2013-2195, CVE-2013-2196 / XSA-55: Multiple vulnerabilities in libelf PV kernel handling
CVE-2013-2072 / XSA-56: Buffer overflow in xencontrol Python bindings affecting xend
CVE-2013-2211 / XSA-57: libxl allows guest write access to sensitive console related xenstore keys
CVE-2013-1432 / XSA-58: Page reference counting error due to XSA-45/CVE-2013-1918 fixes
XSA-61: libxl partially sets up HVM passthrough even with disabled iommu

This release contains many bug fixes and improvements. The highlights are:
addressing a regression from the fix for XSA-21
addressing a regression from the fix for XSA-46
bug fixes to low level system state handling, including certain hardware errata workarounds

(CVE-2013-1918 and CVE-2013-1952 were patched in pkgsrc before)
Diffstat (limited to 'sysutils/xenkernel41')
-rw-r--r--sysutils/xenkernel41/Makefile5
-rw-r--r--sysutils/xenkernel41/distinfo25
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_124
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_1021
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_11261
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_1219
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_1317
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_214
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_312
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_412
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_515
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_628
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_751
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_848
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1918_9593
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-195243
-rw-r--r--sysutils/xenkernel41/patches/patch-xen_arch_x86_time.c19
-rw-r--r--sysutils/xenkernel41/patches/patch-xen_common_libelf_libelf-private.h10
18 files changed, 11 insertions, 1206 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index b0401c6e002..f11f601bc68 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.23 2013/06/19 14:03:41 gdt Exp $
+# $NetBSD: Makefile,v 1.24 2013/09/11 18:00:33 drochner Exp $
#
-VERSION= 4.1.5
+VERSION= 4.1.6.1
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 1
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index 26e5642a2d1..75b76494d69 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,27 +1,12 @@
-$NetBSD: distinfo,v 1.18 2013/07/13 19:43:21 joerg Exp $
+$NetBSD: distinfo,v 1.19 2013/09/11 18:00:33 drochner Exp $
-SHA1 (xen-4.1.5.tar.gz) = 38f098cdbcf4612a6e059e6ad332e68bbfc8bf4d
-RMD160 (xen-4.1.5.tar.gz) = 265d6a9faee6cf9314f4ed647604f7b43c327f52
-Size (xen-4.1.5.tar.gz) = 10421420 bytes
-SHA1 (patch-CVE-2013-1918_1) = 7403c3cc0b6481edf581591885843ee24154da06
-SHA1 (patch-CVE-2013-1918_10) = 3aa6a519013fa3275ad389533e9ebcf0f29e24b7
-SHA1 (patch-CVE-2013-1918_11) = 57ddcc8afcab390a1ac027a6a063677c89310662
-SHA1 (patch-CVE-2013-1918_12) = 3d768316139ea189219de4dff13fc1190fbe27a2
-SHA1 (patch-CVE-2013-1918_13) = bccb34626942b17ed0097977d5a16adcf7acd746
-SHA1 (patch-CVE-2013-1918_2) = b5a5ddf9549ba4064f587fa6769730158a165bd6
-SHA1 (patch-CVE-2013-1918_3) = bd6b95c3c359638f1cb95bb9b4119836cb421fea
-SHA1 (patch-CVE-2013-1918_4) = e6e6648cdf81e543f5c410b1083b97bdd9a08ea6
-SHA1 (patch-CVE-2013-1918_5) = 0bc2755b024d14d53e83b47621f6a550538b5347
-SHA1 (patch-CVE-2013-1918_6) = 027711424053ebae1093ff7d4be2353113612b5c
-SHA1 (patch-CVE-2013-1918_7) = 77414ec5283278433a15a96e91ed5842326370b9
-SHA1 (patch-CVE-2013-1918_8) = 1abd13678a24365ab651483fb3e3feeb2c0248ce
-SHA1 (patch-CVE-2013-1918_9) = 28a34dda25693501c78043f550009dba53fa9e62
-SHA1 (patch-CVE-2013-1952) = b8976b41cc0520993f3c424030f7c9aa8a9be1f3
+SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
+RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
+Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b
-SHA1 (patch-xen_arch_x86_time.c) = 2dedd8ea1d372ecffea70aad448756dd3688cfba
-SHA1 (patch-xen_common_libelf_libelf-private.h) = c364d8f247342c62d0d32fe9f4714f83f977719a
+SHA1 (patch-xen_arch_x86_time.c) = 1611959c08ad79e3f042ac70c8d9d57b60225289
SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_1 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_1
deleted file mode 100644
index 0fa7d8e3a41..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_1
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_1,v 1.1 2013/05/03 16:48:37 drochner Exp $
-
-see http://lists.xen.org/archives/html/xen-announce/2013-05/msg00000.html
-
---- xen/include/xen/domain.h.orig 2013-04-23 16:44:20.000000000 +0000
-+++ xen/include/xen/domain.h
-@@ -15,7 +15,7 @@ struct vcpu *alloc_vcpu(
- int boot_vcpu(
- struct domain *d, int vcpuid, vcpu_guest_context_u ctxt);
- struct vcpu *alloc_dom0_vcpu0(void);
--void vcpu_reset(struct vcpu *v);
-+int vcpu_reset(struct vcpu *);
-
- struct xen_domctl_getdomaininfo;
- void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info);
-@@ -57,7 +57,7 @@ void arch_dump_vcpu_info(struct vcpu *v)
-
- void arch_dump_domain_info(struct domain *d);
-
--void arch_vcpu_reset(struct vcpu *v);
-+int arch_vcpu_reset(struct vcpu *);
-
- bool_t domctl_lock_acquire(void);
- void domctl_lock_release(void);
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_10 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_10
deleted file mode 100644
index 19b55bf7a0f..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_10
+++ /dev/null
@@ -1,21 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_10,v 1.1 2013/05/03 16:48:37 drochner Exp $
-
---- xen/arch/x86/traps.c.orig 2013-04-23 16:44:20.000000000 +0000
-+++ xen/arch/x86/traps.c
-@@ -2317,8 +2317,15 @@ static int emulate_privileged_op(struct
- rc = new_guest_cr3(gmfn_to_mfn(v->domain, compat_cr3_to_pfn(*reg)));
- #endif
- domain_unlock(v->domain);
-- if ( rc == 0 ) /* not okay */
-+ switch ( rc )
-+ {
-+ case 0:
-+ break;
-+ case -EAGAIN: /* retry after preemption */
-+ goto skip;
-+ default: /* not okay */
- goto fail;
-+ }
- break;
-
- case 4: /* Write CR4 */
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_11 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_11
deleted file mode 100644
index 2613b5873e5..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_11
+++ /dev/null
@@ -1,261 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_11,v 1.1 2013/05/03 16:48:37 drochner Exp $
-
---- xen/arch/x86/domain.c.orig 2013-05-03 13:27:23.000000000 +0000
-+++ xen/arch/x86/domain.c
-@@ -70,8 +70,6 @@ void (*dead_idle) (void) __read_mostly =
- static void paravirt_ctxt_switch_from(struct vcpu *v);
- static void paravirt_ctxt_switch_to(struct vcpu *v);
-
--static void vcpu_destroy_pagetables(struct vcpu *v);
--
- static void continue_idle_domain(struct vcpu *v)
- {
- reset_stack_and_jump(idle_loop);
-@@ -678,6 +676,7 @@ int arch_set_info_guest(
- {
- struct domain *d = v->domain;
- unsigned long cr3_pfn = INVALID_MFN;
-+ struct page_info *cr3_page;
- unsigned long flags, cr4;
- int i, rc = 0, compat;
-
-@@ -817,72 +816,103 @@ int arch_set_info_guest(
- if ( rc != 0 )
- return rc;
-
-+ set_bit(_VPF_in_reset, &v->pause_flags);
-+
- if ( !compat )
-- {
- cr3_pfn = gmfn_to_mfn(d, xen_cr3_to_pfn(c.nat->ctrlreg[3]));
-+#ifdef __x86_64__
-+ else
-+ cr3_pfn = gmfn_to_mfn(d, compat_cr3_to_pfn(c.cmp->ctrlreg[3]));
-+#endif
-+ cr3_page = mfn_to_page(cr3_pfn);
-
-- if ( !mfn_valid(cr3_pfn) ||
-- (paging_mode_refcounts(d)
-- ? !get_page(mfn_to_page(cr3_pfn), d)
-- : !get_page_and_type(mfn_to_page(cr3_pfn), d,
-- PGT_base_page_table)) )
-- {
-- destroy_gdt(v);
-- return -EINVAL;
-- }
-+ if ( !mfn_valid(cr3_pfn) || !get_page(cr3_page, d) )
-+ {
-+ cr3_page = NULL;
-+ rc = -EINVAL;
-+ }
-+ else if ( paging_mode_refcounts(d) )
-+ /* nothing */;
-+ else if ( cr3_page == v->arch.old_guest_table )
-+ {
-+ v->arch.old_guest_table = NULL;
-+ put_page(cr3_page);
-+ }
-+ else
-+ {
-+ /*
-+ * Since v->arch.guest_table{,_user} are both NULL, this effectively
-+ * is just a call to put_old_guest_table().
-+ */
-+ if ( !compat )
-+ rc = vcpu_destroy_pagetables(v);
-+ if ( !rc )
-+ rc = get_page_type_preemptible(cr3_page,
-+ !compat ? PGT_root_page_table
-+ : PGT_l3_page_table);
-+ if ( rc == -EINTR )
-+ rc = -EAGAIN;
-+ }
-
-+ if ( rc )
-+ /* handled below */;
-+ else if ( !compat )
-+ {
- v->arch.guest_table = pagetable_from_pfn(cr3_pfn);
-
- #ifdef __x86_64__
- if ( c.nat->ctrlreg[1] )
- {
- cr3_pfn = gmfn_to_mfn(d, xen_cr3_to_pfn(c.nat->ctrlreg[1]));
-+ cr3_page = mfn_to_page(cr3_pfn);
-
-- if ( !mfn_valid(cr3_pfn) ||
-- (paging_mode_refcounts(d)
-- ? !get_page(mfn_to_page(cr3_pfn), d)
-- : !get_page_and_type(mfn_to_page(cr3_pfn), d,
-- PGT_base_page_table)) )
-+ if ( !mfn_valid(cr3_pfn) || !get_page(cr3_page, d) )
- {
-- cr3_pfn = pagetable_get_pfn(v->arch.guest_table);
-- v->arch.guest_table = pagetable_null();
-- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(cr3_pfn));
-- else
-- put_page_and_type(mfn_to_page(cr3_pfn));
-- destroy_gdt(v);
-- return -EINVAL;
-+ cr3_page = NULL;
-+ rc = -EINVAL;
-+ }
-+ else if ( !paging_mode_refcounts(d) )
-+ {
-+ rc = get_page_type_preemptible(cr3_page, PGT_root_page_table);
-+ switch ( rc )
-+ {
-+ case -EINTR:
-+ rc = -EAGAIN;
-+ case -EAGAIN:
-+ v->arch.old_guest_table =
-+ pagetable_get_page(v->arch.guest_table);
-+ v->arch.guest_table = pagetable_null();
-+ break;
-+ }
- }
-
-- v->arch.guest_table_user = pagetable_from_pfn(cr3_pfn);
-+ if ( !rc )
-+ v->arch.guest_table_user = pagetable_from_pfn(cr3_pfn);
- }
- else if ( !(flags & VGCF_in_kernel) )
- {
-- destroy_gdt(v);
-- return -EINVAL;
-+ cr3_page = NULL;
-+ rc = -EINVAL;
- }
- }
- else
- {
- l4_pgentry_t *l4tab;
-
-- cr3_pfn = gmfn_to_mfn(d, compat_cr3_to_pfn(c.cmp->ctrlreg[3]));
--
-- if ( !mfn_valid(cr3_pfn) ||
-- (paging_mode_refcounts(d)
-- ? !get_page(mfn_to_page(cr3_pfn), d)
-- : !get_page_and_type(mfn_to_page(cr3_pfn), d,
-- PGT_l3_page_table)) )
-- {
-- destroy_gdt(v);
-- return -EINVAL;
-- }
--
- l4tab = __va(pagetable_get_paddr(v->arch.guest_table));
- *l4tab = l4e_from_pfn(
- cr3_pfn, _PAGE_PRESENT|_PAGE_RW|_PAGE_USER|_PAGE_ACCESSED);
- #endif
- }
-+ if ( rc )
-+ {
-+ if ( cr3_page )
-+ put_page(cr3_page);
-+ destroy_gdt(v);
-+ return rc;
-+ }
-+
-+ clear_bit(_VPF_in_reset, &v->pause_flags);
-
- if ( v->vcpu_id == 0 )
- update_domain_wallclock_time(d);
-@@ -904,17 +934,16 @@ int arch_set_info_guest(
- #undef c
- }
-
--void arch_vcpu_reset(struct vcpu *v)
-+int arch_vcpu_reset(struct vcpu *v)
- {
- if ( !is_hvm_vcpu(v) )
- {
- destroy_gdt(v);
-- vcpu_destroy_pagetables(v);
-- }
-- else
-- {
-- vcpu_end_shutdown_deferral(v);
-+ return vcpu_destroy_pagetables(v);
- }
-+
-+ vcpu_end_shutdown_deferral(v);
-+ return 0;
- }
-
- /*
-@@ -1917,63 +1946,6 @@ static int relinquish_memory(
- return ret;
- }
-
--static void vcpu_destroy_pagetables(struct vcpu *v)
--{
-- struct domain *d = v->domain;
-- unsigned long pfn;
--
--#ifdef __x86_64__
-- if ( is_pv_32on64_vcpu(v) )
-- {
-- pfn = l4e_get_pfn(*(l4_pgentry_t *)
-- __va(pagetable_get_paddr(v->arch.guest_table)));
--
-- if ( pfn != 0 )
-- {
-- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(pfn));
-- else
-- put_page_and_type(mfn_to_page(pfn));
-- }
--
-- l4e_write(
-- (l4_pgentry_t *)__va(pagetable_get_paddr(v->arch.guest_table)),
-- l4e_empty());
--
-- v->arch.cr3 = 0;
-- return;
-- }
--#endif
--
-- pfn = pagetable_get_pfn(v->arch.guest_table);
-- if ( pfn != 0 )
-- {
-- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(pfn));
-- else
-- put_page_and_type(mfn_to_page(pfn));
-- v->arch.guest_table = pagetable_null();
-- }
--
--#ifdef __x86_64__
-- /* Drop ref to guest_table_user (from MMUEXT_NEW_USER_BASEPTR) */
-- pfn = pagetable_get_pfn(v->arch.guest_table_user);
-- if ( pfn != 0 )
-- {
-- if ( !is_pv_32bit_vcpu(v) )
-- {
-- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(pfn));
-- else
-- put_page_and_type(mfn_to_page(pfn));
-- }
-- v->arch.guest_table_user = pagetable_null();
-- }
--#endif
--
-- v->arch.cr3 = 0;
--}
--
- int domain_relinquish_resources(struct domain *d)
- {
- int ret;
-@@ -1992,7 +1964,9 @@ int domain_relinquish_resources(struct d
- for_each_vcpu ( d, v )
- {
- /* Drop the in-use references to page-table bases. */
-- vcpu_destroy_pagetables(v);
-+ ret = vcpu_destroy_pagetables(v);
-+ if ( ret )
-+ return ret;
-
- /*
- * Relinquish GDT mappings. No need for explicit unmapping of the
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_12 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_12
deleted file mode 100644
index ee1c9524aa2..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_12
+++ /dev/null
@@ -1,19 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_12,v 1.1 2013/05/03 16:48:37 drochner Exp $
-
---- xen/arch/x86/hvm/vlapic.c.orig 2013-04-23 16:44:20.000000000 +0000
-+++ xen/arch/x86/hvm/vlapic.c
-@@ -252,10 +252,13 @@ static void vlapic_init_sipi_action(unsi
- {
- case APIC_DM_INIT: {
- bool_t fpu_initialised;
-+ int rc;
-+
- domain_lock(target->domain);
- /* Reset necessary VCPU state. This does not include FPU state. */
- fpu_initialised = target->fpu_initialised;
-- vcpu_reset(target);
-+ rc = vcpu_reset(target);
-+ ASSERT(!rc);
- target->fpu_initialised = fpu_initialised;
- vlapic_reset(vcpu_vlapic(target));
- domain_unlock(target->domain);
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_13 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_13
deleted file mode 100644
index ced50bce346..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_13
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_13,v 1.1 2013/05/03 16:48:37 drochner Exp $
-
---- xen/arch/x86/hvm/hvm.c.orig 2013-04-23 16:44:20.000000000 +0000
-+++ xen/arch/x86/hvm/hvm.c
-@@ -3083,8 +3083,11 @@ static void hvm_s3_suspend(struct domain
-
- for_each_vcpu ( d, v )
- {
-+ int rc;
-+
- vlapic_reset(vcpu_vlapic(v));
-- vcpu_reset(v);
-+ rc = vcpu_reset(v);
-+ ASSERT(!rc);
- }
-
- vpic_reset(d);
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_2 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_2
deleted file mode 100644
index a2bb0408b06..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_2
+++ /dev/null
@@ -1,14 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_2,v 1.1 2013/05/03 16:48:37 drochner Exp $
-
---- xen/include/xen/sched.h.orig 2013-04-23 16:44:20.000000000 +0000
-+++ xen/include/xen/sched.h
-@@ -597,6 +597,9 @@ extern struct domain *domain_list;
- /* VCPU is blocked on memory-event ring. */
- #define _VPF_mem_event 4
- #define VPF_mem_event (1UL<<_VPF_mem_event)
-+ /* VCPU is being reset. */
-+#define _VPF_in_reset 7
-+#define VPF_in_reset (1UL<<_VPF_in_reset)
-
- static inline int vcpu_runnable(struct vcpu *v)
- {
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_3 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_3
deleted file mode 100644
index 3d41c995686..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_3
+++ /dev/null
@@ -1,12 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_3,v 1.1 2013/05/03 16:48:38 drochner Exp $
-
---- xen/include/asm-x86/domain.h.orig 2013-04-23 16:44:20.000000000 +0000
-+++ xen/include/asm-x86/domain.h
-@@ -405,6 +405,7 @@ struct arch_vcpu
- pagetable_t guest_table_user; /* (MFN) x86/64 user-space pagetable */
- #endif
- pagetable_t guest_table; /* (MFN) guest notion of cr3 */
-+ struct page_info *old_guest_table; /* partially destructed pagetable */
- /* guest_table holds a ref to the page, and also a type-count unless
- * shadow refcounts are in use */
- pagetable_t shadow_table[4]; /* (MFN) shadow(s) of guest */
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_4 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_4
deleted file mode 100644
index db172e0e5d7..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_4
+++ /dev/null
@@ -1,12 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_4,v 1.1 2013/05/03 16:48:38 drochner Exp $
-
---- xen/include/asm-x86/mm.h.orig 2013-05-03 13:46:46.000000000 +0000
-+++ xen/include/asm-x86/mm.h
-@@ -555,6 +555,7 @@ void audit_domains(void);
- int new_guest_cr3(unsigned long pfn);
- void make_cr3(struct vcpu *v, unsigned long mfn);
- void update_cr3(struct vcpu *v);
-+int vcpu_destroy_pagetables(struct vcpu *);
- void propagate_page_fault(unsigned long addr, u16 error_code);
- void *do_page_walk(struct vcpu *v, unsigned long addr);
-
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_5 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_5
deleted file mode 100644
index 577915c6fbb..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_5
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_5,v 1.1 2013/05/03 16:48:38 drochner Exp $
-
---- xen/common/compat/domain.c.orig 2013-04-23 16:44:20.000000000 +0000
-+++ xen/common/compat/domain.c
-@@ -52,6 +52,10 @@ int compat_vcpu_op(int cmd, int vcpuid,
- rc = boot_vcpu(d, vcpuid, cmp_ctxt);
- domain_unlock(d);
-
-+ if ( rc == -EAGAIN )
-+ rc = hypercall_create_continuation(__HYPERVISOR_vcpu_op, "iih",
-+ cmd, vcpuid, arg);
-+
- xfree(cmp_ctxt);
- break;
- }
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_6 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_6
deleted file mode 100644
index d00eb72d88e..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_6
+++ /dev/null
@@ -1,28 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_6,v 1.1 2013/05/03 16:48:38 drochner Exp $
-
---- xen/common/domctl.c.orig 2013-05-03 13:37:03.000000000 +0000
-+++ xen/common/domctl.c
-@@ -286,8 +286,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
-
- if ( guest_handle_is_null(op->u.vcpucontext.ctxt) )
- {
-- vcpu_reset(v);
-- ret = 0;
-+ ret = vcpu_reset(v);
-+ if ( ret == -EAGAIN )
-+ ret = hypercall_create_continuation(
-+ __HYPERVISOR_domctl, "h", u_domctl);
- goto svc_out;
- }
-
-@@ -316,6 +318,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
- domain_pause(d);
- ret = arch_set_info_guest(v, c);
- domain_unpause(d);
-+
-+ if ( ret == -EAGAIN )
-+ ret = hypercall_create_continuation(
-+ __HYPERVISOR_domctl, "h", u_domctl);
- }
-
- svc_out:
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_7 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_7
deleted file mode 100644
index 10c72b97f65..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_7
+++ /dev/null
@@ -1,51 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_7,v 1.1 2013/05/03 16:48:38 drochner Exp $
-
---- xen/common/domain.c.orig 2013-05-03 13:28:00.000000000 +0000
-+++ xen/common/domain.c
-@@ -770,14 +770,18 @@ int boot_vcpu(struct domain *d, int vcpu
- return arch_set_info_guest(v, ctxt);
- }
-
--void vcpu_reset(struct vcpu *v)
-+int vcpu_reset(struct vcpu *v)
- {
- struct domain *d = v->domain;
-+ int rc;
-
- vcpu_pause(v);
- domain_lock(d);
-
-- arch_vcpu_reset(v);
-+ set_bit(_VPF_in_reset, &v->pause_flags);
-+ rc = arch_vcpu_reset(v);
-+ if ( rc )
-+ goto out_unlock;
-
- set_bit(_VPF_down, &v->pause_flags);
-
-@@ -793,9 +797,13 @@ void vcpu_reset(struct vcpu *v)
- #endif
- cpus_clear(v->cpu_affinity_tmp);
- clear_bit(_VPF_blocked, &v->pause_flags);
-+ clear_bit(_VPF_in_reset, &v->pause_flags);
-
-+ out_unlock:
- domain_unlock(v->domain);
- vcpu_unpause(v);
-+
-+ return rc;
- }
-
-
-@@ -834,6 +842,11 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
- domain_unlock(d);
-
- xfree(ctxt);
-+
-+ if ( rc == -EAGAIN )
-+ rc = hypercall_create_continuation(__HYPERVISOR_vcpu_op, "iih",
-+ cmd, vcpuid, arg);
-+
- break;
-
- case VCPUOP_up:
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_8 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_8
deleted file mode 100644
index b6c12963f12..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_8
+++ /dev/null
@@ -1,48 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_8,v 1.1 2013/05/03 16:48:38 drochner Exp $
-
---- xen/arch/x86/x86_64/compat/mm.c.orig 2013-05-03 13:37:44.000000000 +0000
-+++ xen/arch/x86/x86_64/compat/mm.c
-@@ -222,6 +222,13 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
- int rc = 0;
- XEN_GUEST_HANDLE(mmuext_op_t) nat_ops;
-
-+ if ( unlikely(count == MMU_UPDATE_PREEMPTED) &&
-+ likely(guest_handle_is_null(cmp_uops)) )
-+ {
-+ set_xen_guest_handle(nat_ops, NULL);
-+ return do_mmuext_op(nat_ops, count, pdone, foreigndom);
-+ }
-+
- preempt_mask = count & MMU_UPDATE_PREEMPTED;
- count ^= preempt_mask;
-
-@@ -319,17 +326,23 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
- : mcs->call.args[1];
- unsigned int left = arg1 & ~MMU_UPDATE_PREEMPTED;
-
-- BUG_ON(left == arg1);
-+ BUG_ON(left == arg1 && left != i);
- BUG_ON(left > count);
- guest_handle_add_offset(nat_ops, i - left);
- guest_handle_subtract_offset(cmp_uops, left);
- left = 1;
-- BUG_ON(!hypercall_xlat_continuation(&left, 0x01, nat_ops, cmp_uops));
-- BUG_ON(left != arg1);
-- if (!test_bit(_MCSF_in_multicall, &mcs->flags))
-- regs->_ecx += count - i;
-+ if ( arg1 != MMU_UPDATE_PREEMPTED )
-+ {
-+ BUG_ON(!hypercall_xlat_continuation(&left, 0x01, nat_ops,
-+ cmp_uops));
-+ if ( !test_bit(_MCSF_in_multicall, &mcs->flags) )
-+ regs->_ecx += count - i;
-+ else
-+ mcs->compat_call.args[1] += count - i;
-+ }
- else
-- mcs->compat_call.args[1] += count - i;
-+ BUG_ON(hypercall_xlat_continuation(&left, 0));
-+ BUG_ON(left != arg1);
- }
- else
- BUG_ON(err > 0);
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_9 b/sysutils/xenkernel41/patches/patch-CVE-2013-1918_9
deleted file mode 100644
index a07c2b1143e..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1918_9
+++ /dev/null
@@ -1,593 +0,0 @@
-$NetBSD: patch-CVE-2013-1918_9,v 1.1 2013/05/03 16:48:38 drochner Exp $
-
---- xen/arch/x86/mm.c.orig 2013-05-03 13:38:09.000000000 +0000
-+++ xen/arch/x86/mm.c
-@@ -1183,7 +1183,16 @@ static int put_page_from_l3e(l3_pgentry_
- #endif
-
- if ( unlikely(partial > 0) )
-+ {
-+ ASSERT(preemptible >= 0);
- return __put_page_type(l3e_get_page(l3e), preemptible);
-+ }
-+
-+ if ( preemptible < 0 )
-+ {
-+ current->arch.old_guest_table = l3e_get_page(l3e);
-+ return 0;
-+ }
-
- return put_page_and_type_preemptible(l3e_get_page(l3e), preemptible);
- }
-@@ -1196,7 +1205,17 @@ static int put_page_from_l4e(l4_pgentry_
- (l4e_get_pfn(l4e) != pfn) )
- {
- if ( unlikely(partial > 0) )
-+ {
-+ ASSERT(preemptible >= 0);
- return __put_page_type(l4e_get_page(l4e), preemptible);
-+ }
-+
-+ if ( preemptible < 0 )
-+ {
-+ current->arch.old_guest_table = l4e_get_page(l4e);
-+ return 0;
-+ }
-+
- return put_page_and_type_preemptible(l4e_get_page(l4e), preemptible);
- }
- return 1;
-@@ -1486,12 +1505,17 @@ static int alloc_l3_table(struct page_in
- if ( rc < 0 && rc != -EAGAIN && rc != -EINTR )
- {
- MEM_LOG("Failure in alloc_l3_table: entry %d", i);
-+ if ( i )
-+ {
-+ page->nr_validated_ptes = i;
-+ page->partial_pte = 0;
-+ current->arch.old_guest_table = page;
-+ }
- while ( i-- > 0 )
- {
- if ( !is_guest_l3_slot(i) )
- continue;
- unadjust_guest_l3e(pl3e[i], d);
-- put_page_from_l3e(pl3e[i], pfn, 0, 0);
- }
- }
-
-@@ -1521,22 +1545,24 @@ static int alloc_l4_table(struct page_in
- page->nr_validated_ptes = i;
- page->partial_pte = partial ?: 1;
- }
-- else if ( rc == -EINTR )
-+ else if ( rc < 0 )
- {
-+ if ( rc != -EINTR )
-+ MEM_LOG("Failure in alloc_l4_table: entry %d", i);
- if ( i )
- {
- page->nr_validated_ptes = i;
- page->partial_pte = 0;
-- rc = -EAGAIN;
-+ if ( rc == -EINTR )
-+ rc = -EAGAIN;
-+ else
-+ {
-+ if ( current->arch.old_guest_table )
-+ page->nr_validated_ptes++;
-+ current->arch.old_guest_table = page;
-+ }
- }
- }
-- else if ( rc < 0 )
-- {
-- MEM_LOG("Failure in alloc_l4_table: entry %d", i);
-- while ( i-- > 0 )
-- if ( is_guest_l4_slot(d, i) )
-- put_page_from_l4e(pl4e[i], pfn, 0, 0);
-- }
- if ( rc < 0 )
- return rc;
-
-@@ -1966,7 +1992,7 @@ static int mod_l3_entry(l3_pgentry_t *pl
- pae_flush_pgd(pfn, pgentry_ptr_to_slot(pl3e), nl3e);
- }
-
-- put_page_from_l3e(ol3e, pfn, 0, 0);
-+ put_page_from_l3e(ol3e, pfn, 0, -preemptible);
- return rc;
- }
-
-@@ -2029,7 +2055,7 @@ static int mod_l4_entry(l4_pgentry_t *pl
- return -EFAULT;
- }
-
-- put_page_from_l4e(ol4e, pfn, 0, 0);
-+ put_page_from_l4e(ol4e, pfn, 0, -preemptible);
- return rc;
- }
-
-@@ -2187,7 +2213,15 @@ static int alloc_page_type(struct page_i
- PRtype_info ": caf=%08lx taf=%" PRtype_info,
- page_to_mfn(page), get_gpfn_from_mfn(page_to_mfn(page)),
- type, page->count_info, page->u.inuse.type_info);
-- page->u.inuse.type_info = 0;
-+ if ( page != current->arch.old_guest_table )
-+ page->u.inuse.type_info = 0;
-+ else
-+ {
-+ ASSERT((page->u.inuse.type_info &
-+ (PGT_count_mask | PGT_validated)) == 1);
-+ get_page_light(page);
-+ page->u.inuse.type_info |= PGT_partial;
-+ }
- }
- else
- {
-@@ -2725,49 +2759,150 @@ static void put_superpage(unsigned long
-
- #endif
-
-+static int put_old_guest_table(struct vcpu *v)
-+{
-+ int rc;
-+
-+ if ( !v->arch.old_guest_table )
-+ return 0;
-+
-+ switch ( rc = put_page_and_type_preemptible(v->arch.old_guest_table, 1) )
-+ {
-+ case -EINTR:
-+ case -EAGAIN:
-+ return -EAGAIN;
-+ }
-+
-+ v->arch.old_guest_table = NULL;
-+
-+ return rc;
-+}
-+
-+int vcpu_destroy_pagetables(struct vcpu *v)
-+{
-+ unsigned long mfn = pagetable_get_pfn(v->arch.guest_table);
-+ struct page_info *page;
-+ int rc = put_old_guest_table(v);
-+
-+ if ( rc )
-+ return rc;
-+
-+#ifdef __x86_64__
-+ if ( is_pv_32on64_vcpu(v) )
-+ mfn = l4e_get_pfn(*(l4_pgentry_t *)mfn_to_virt(mfn));
-+#endif
-+
-+ if ( mfn )
-+ {
-+ page = mfn_to_page(mfn);
-+ if ( paging_mode_refcounts(v->domain) )
-+ put_page(page);
-+ else
-+ rc = put_page_and_type_preemptible(page, 1);
-+ }
-+
-+#ifdef __x86_64__
-+ if ( is_pv_32on64_vcpu(v) )
-+ {
-+ if ( !rc )
-+ l4e_write(
-+ (l4_pgentry_t *)__va(pagetable_get_paddr(v->arch.guest_table)),
-+ l4e_empty());
-+ }
-+ else
-+#endif
-+ if ( !rc )
-+ {
-+ v->arch.guest_table = pagetable_null();
-+
-+#ifdef __x86_64__
-+ /* Drop ref to guest_table_user (from MMUEXT_NEW_USER_BASEPTR) */
-+ mfn = pagetable_get_pfn(v->arch.guest_table_user);
-+ if ( mfn )
-+ {
-+ page = mfn_to_page(mfn);
-+ if ( paging_mode_refcounts(v->domain) )
-+ put_page(page);
-+ else
-+ rc = put_page_and_type_preemptible(page, 1);
-+ }
-+ if ( !rc )
-+ v->arch.guest_table_user = pagetable_null();
-+#endif
-+ }
-+
-+ v->arch.cr3 = 0;
-+
-+ return rc;
-+}
-
- int new_guest_cr3(unsigned long mfn)
- {
- struct vcpu *curr = current;
- struct domain *d = curr->domain;
-- int okay;
-+ int rc;
- unsigned long old_base_mfn;
-
- #ifdef __x86_64__
- if ( is_pv_32on64_domain(d) )
- {
-- okay = paging_mode_refcounts(d)
-- ? 0 /* Old code was broken, but what should it be? */
-- : mod_l4_entry(
-+ rc = paging_mode_refcounts(d)
-+ ? -EINVAL /* Old code was broken, but what should it be? */
-+ : mod_l4_entry(
- __va(pagetable_get_paddr(curr->arch.guest_table)),
- l4e_from_pfn(
- mfn,
- (_PAGE_PRESENT|_PAGE_RW|_PAGE_USER|_PAGE_ACCESSED)),
-- pagetable_get_pfn(curr->arch.guest_table), 0, 0, curr) == 0;
-- if ( unlikely(!okay) )
-+ pagetable_get_pfn(curr->arch.guest_table), 0, 1, curr);
-+ switch ( rc )
- {
-+ case 0:
-+ break;
-+ case -EINTR:
-+ case -EAGAIN:
-+ return -EAGAIN;
-+ default:
- MEM_LOG("Error while installing new compat baseptr %lx", mfn);
-- return 0;
-+ return rc;
- }
-
- invalidate_shadow_ldt(curr, 0);
- write_ptbase(curr);
-
-- return 1;
-+ return 0;
- }
- #endif
-- okay = paging_mode_refcounts(d)
-- ? get_page_from_pagenr(mfn, d)
-- : !get_page_and_type_from_pagenr(mfn, PGT_root_page_table, d, 0, 0);
-- if ( unlikely(!okay) )
-+ rc = put_old_guest_table(curr);
-+ if ( unlikely(rc) )
-+ return rc;
-+
-+ old_base_mfn = pagetable_get_pfn(curr->arch.guest_table);
-+ /*
-+ * This is particularly important when getting restarted after the
-+ * previous attempt got preempted in the put-old-MFN phase.
-+ */
-+ if ( old_base_mfn == mfn )
- {
-- MEM_LOG("Error while installing new baseptr %lx", mfn);
-+ write_ptbase(curr);
- return 0;
- }
-
-- invalidate_shadow_ldt(curr, 0);
-+ rc = paging_mode_refcounts(d)
-+ ? (get_page_from_pagenr(mfn, d) ? 0 : -EINVAL)
-+ : get_page_and_type_from_pagenr(mfn, PGT_root_page_table, d, 0, 1);
-+ switch ( rc )
-+ {
-+ case 0:
-+ break;
-+ case -EINTR:
-+ case -EAGAIN:
-+ return -EAGAIN;
-+ default:
-+ MEM_LOG("Error while installing new baseptr %lx", mfn);
-+ return rc;
-+ }
-
-- old_base_mfn = pagetable_get_pfn(curr->arch.guest_table);
-+ invalidate_shadow_ldt(curr, 0);
-
- curr->arch.guest_table = pagetable_from_pfn(mfn);
- update_cr3(curr);
-@@ -2776,13 +2911,25 @@ int new_guest_cr3(unsigned long mfn)
-
- if ( likely(old_base_mfn != 0) )
- {
-+ struct page_info *page = mfn_to_page(old_base_mfn);
-+
- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(old_base_mfn));
-+ put_page(page);
- else
-- put_page_and_type(mfn_to_page(old_base_mfn));
-+ switch ( rc = put_page_and_type_preemptible(page, 1) )
-+ {
-+ case -EINTR:
-+ rc = -EAGAIN;
-+ case -EAGAIN:
-+ curr->arch.old_guest_table = page;
-+ break;
-+ default:
-+ BUG_ON(rc);
-+ break;
-+ }
- }
-
-- return 1;
-+ return rc;
- }
-
- static struct domain *get_pg_owner(domid_t domid)
-@@ -2911,12 +3058,29 @@ long do_mmuext_op(
- unsigned int foreigndom)
- {
- struct mmuext_op op;
-- int rc = 0, i = 0, okay;
- unsigned long type;
-- unsigned int done = 0;
-+ unsigned int i = 0, done = 0;
- struct vcpu *curr = current;
- struct domain *d = curr->domain;
- struct domain *pg_owner;
-+ int okay, rc = put_old_guest_table(curr);
-+
-+ if ( unlikely(rc) )
-+ {
-+ if ( likely(rc == -EAGAIN) )
-+ rc = hypercall_create_continuation(
-+ __HYPERVISOR_mmuext_op, "hihi", uops, count, pdone,
-+ foreigndom);
-+ return rc;
-+ }
-+
-+ if ( unlikely(count == MMU_UPDATE_PREEMPTED) &&
-+ likely(guest_handle_is_null(uops)) )
-+ {
-+ /* See the curr->arch.old_guest_table related
-+ * hypercall_create_continuation() below. */
-+ return (int)foreigndom;
-+ }
-
- if ( unlikely(count & MMU_UPDATE_PREEMPTED) )
- {
-@@ -2941,7 +3105,7 @@ long do_mmuext_op(
-
- for ( i = 0; i < count; i++ )
- {
-- if ( hypercall_preempt_check() )
-+ if ( curr->arch.old_guest_table || hypercall_preempt_check() )
- {
- rc = -EAGAIN;
- break;
-@@ -3001,21 +3165,17 @@ long do_mmuext_op(
- page = mfn_to_page(mfn);
-
- if ( (rc = xsm_memory_pin_page(d, page)) != 0 )
-- {
-- put_page_and_type(page);
- okay = 0;
-- break;
-- }
--
-- if ( unlikely(test_and_set_bit(_PGT_pinned,
-- &page->u.inuse.type_info)) )
-+ else if ( unlikely(test_and_set_bit(_PGT_pinned,
-+ &page->u.inuse.type_info)) )
- {
- MEM_LOG("Mfn %lx already pinned", mfn);
-- put_page_and_type(page);
- okay = 0;
-- break;
- }
-
-+ if ( unlikely(!okay) )
-+ goto pin_drop;
-+
- /* A page is dirtied when its pin status is set. */
- paging_mark_dirty(pg_owner, mfn);
-
-@@ -3029,7 +3189,13 @@ long do_mmuext_op(
- &page->u.inuse.type_info));
- spin_unlock(&pg_owner->page_alloc_lock);
- if ( drop_ref )
-- put_page_and_type(page);
-+ {
-+ pin_drop:
-+ if ( type == PGT_l1_page_table )
-+ put_page_and_type(page);
-+ else
-+ curr->arch.old_guest_table = page;
-+ }
- }
-
- break;
-@@ -3059,7 +3225,17 @@ long do_mmuext_op(
- break;
- }
-
-- put_page_and_type(page);
-+ switch ( rc = put_page_and_type_preemptible(page, 1) )
-+ {
-+ case -EINTR:
-+ case -EAGAIN:
-+ curr->arch.old_guest_table = page;
-+ rc = 0;
-+ break;
-+ default:
-+ BUG_ON(rc);
-+ break;
-+ }
- put_page(page);
-
- /* A page is dirtied when its pin status is cleared. */
-@@ -3069,7 +3245,8 @@ long do_mmuext_op(
- }
-
- case MMUEXT_NEW_BASEPTR:
-- okay = new_guest_cr3(gmfn_to_mfn(d, op.arg1.mfn));
-+ rc = new_guest_cr3(gmfn_to_mfn(d, op.arg1.mfn));
-+ okay = !rc;
- break;
-
- #ifdef __x86_64__
-@@ -3077,29 +3254,55 @@ long do_mmuext_op(
- unsigned long old_mfn, mfn;
-
- mfn = gmfn_to_mfn(d, op.arg1.mfn);
-+ old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);
-+ /*
-+ * This is particularly important when getting restarted after the
-+ * previous attempt got preempted in the put-old-MFN phase.
-+ */
-+ if ( old_mfn == mfn )
-+ break;
-+
- if ( mfn != 0 )
- {
- if ( paging_mode_refcounts(d) )
- okay = get_page_from_pagenr(mfn, d);
- else
-- okay = !get_page_and_type_from_pagenr(
-- mfn, PGT_root_page_table, d, 0, 0);
-+ {
-+ rc = get_page_and_type_from_pagenr(
-+ mfn, PGT_root_page_table, d, 0, 1);
-+ okay = !rc;
-+ }
- if ( unlikely(!okay) )
- {
-- MEM_LOG("Error while installing new mfn %lx", mfn);
-+ if ( rc == -EINTR )
-+ rc = -EAGAIN;
-+ else if ( rc != -EAGAIN )
-+ MEM_LOG("Error while installing new mfn %lx", mfn);
- break;
- }
- }
-
-- old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);
- curr->arch.guest_table_user = pagetable_from_pfn(mfn);
-
- if ( old_mfn != 0 )
- {
-+ struct page_info *page = mfn_to_page(old_mfn);
-+
- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(old_mfn));
-+ put_page(page);
- else
-- put_page_and_type(mfn_to_page(old_mfn));
-+ switch ( rc = put_page_and_type_preemptible(page, 1) )
-+ {
-+ case -EINTR:
-+ rc = -EAGAIN;
-+ case -EAGAIN:
-+ curr->arch.old_guest_table = page;
-+ okay = 0;
-+ break;
-+ default:
-+ BUG_ON(rc);
-+ break;
-+ }
- }
-
- break;
-@@ -3338,9 +3541,27 @@ long do_mmuext_op(
- }
-
- if ( rc == -EAGAIN )
-+ {
-+ ASSERT(i < count);
- rc = hypercall_create_continuation(
- __HYPERVISOR_mmuext_op, "hihi",
- uops, (count - i) | MMU_UPDATE_PREEMPTED, pdone, foreigndom);
-+ }
-+ else if ( curr->arch.old_guest_table )
-+ {
-+ XEN_GUEST_HANDLE(void) null;
-+
-+ ASSERT(rc || i == count);
-+ set_xen_guest_handle(null, NULL);
-+ /*
-+ * In order to have a way to communicate the final return value to
-+ * our continuation, we pass this in place of "foreigndom", building
-+ * on the fact that this argument isn't needed anymore.
-+ */
-+ rc = hypercall_create_continuation(
-+ __HYPERVISOR_mmuext_op, "hihi", null,
-+ MMU_UPDATE_PREEMPTED, null, rc);
-+ }
-
- put_pg_owner(pg_owner);
-
-@@ -3367,11 +3588,28 @@ long do_mmu_update(
- void *va;
- unsigned long gpfn, gmfn, mfn;
- struct page_info *page;
-- int rc = 0, okay = 1, i = 0;
-- unsigned int cmd, done = 0, pt_dom;
-- struct vcpu *v = current;
-+ unsigned int cmd, i = 0, done = 0, pt_dom;
-+ struct vcpu *curr = current, *v = curr;
- struct domain *d = v->domain, *pt_owner = d, *pg_owner;
- struct domain_mmap_cache mapcache;
-+ int rc = put_old_guest_table(curr), okay = 1;
-+
-+ if ( unlikely(rc) )
-+ {
-+ if ( likely(rc == -EAGAIN) )
-+ rc = hypercall_create_continuation(
-+ __HYPERVISOR_mmu_update, "hihi", ureqs, count, pdone,
-+ foreigndom);
-+ return rc;
-+ }
-+
-+ if ( unlikely(count == MMU_UPDATE_PREEMPTED) &&
-+ likely(guest_handle_is_null(ureqs)) )
-+ {
-+ /* See the curr->arch.old_guest_table related
-+ * hypercall_create_continuation() below. */
-+ return (int)foreigndom;
-+ }
-
- if ( unlikely(count & MMU_UPDATE_PREEMPTED) )
- {
-@@ -3420,7 +3658,7 @@ long do_mmu_update(
-
- for ( i = 0; i < count; i++ )
- {
-- if ( hypercall_preempt_check() )
-+ if ( curr->arch.old_guest_table || hypercall_preempt_check() )
- {
- rc = -EAGAIN;
- break;
-@@ -3685,9 +3923,27 @@ long do_mmu_update(
- }
-
- if ( rc == -EAGAIN )
-+ {
-+ ASSERT(i < count);
- rc = hypercall_create_continuation(
- __HYPERVISOR_mmu_update, "hihi",
- ureqs, (count - i) | MMU_UPDATE_PREEMPTED, pdone, foreigndom);
-+ }
-+ else if ( curr->arch.old_guest_table )
-+ {
-+ XEN_GUEST_HANDLE(void) null;
-+
-+ ASSERT(rc || i == count);
-+ set_xen_guest_handle(null, NULL);
-+ /*
-+ * In order to have a way to communicate the final return value to
-+ * our continuation, we pass this in place of "foreigndom", building
-+ * on the fact that this argument isn't needed anymore.
-+ */
-+ rc = hypercall_create_continuation(
-+ __HYPERVISOR_mmu_update, "hihi", null,
-+ MMU_UPDATE_PREEMPTED, null, rc);
-+ }
-
- put_pg_owner(pg_owner);
-
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1952 b/sysutils/xenkernel41/patches/patch-CVE-2013-1952
deleted file mode 100644
index 351bd8b5727..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-1952
+++ /dev/null
@@ -1,43 +0,0 @@
-$NetBSD: patch-CVE-2013-1952,v 1.1 2013/05/03 16:48:38 drochner Exp $
-
-see http://lists.xen.org/archives/html/xen-announce/2013-05/msg00001.html
-
---- xen/drivers/passthrough/vtd/intremap.c.orig 2013-04-23 16:44:20.000000000 +0000
-+++ xen/drivers/passthrough/vtd/intremap.c
-@@ -477,16 +477,15 @@ static void set_msi_source_id(struct pci
- type = pdev_type(bus, devfn);
- switch ( type )
- {
-+ case DEV_TYPE_PCIe_ENDPOINT:
- case DEV_TYPE_PCIe_BRIDGE:
- case DEV_TYPE_PCIe2PCI_BRIDGE:
-- case DEV_TYPE_LEGACY_PCI_BRIDGE:
-- break;
--
-- case DEV_TYPE_PCIe_ENDPOINT:
- set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn));
- break;
-
- case DEV_TYPE_PCI:
-+ case DEV_TYPE_LEGACY_PCI_BRIDGE:
-+ /* case DEV_TYPE_PCI2PCIe_BRIDGE: */
- ret = find_upstream_bridge(&bus, &devfn, &secbus);
- if ( ret == 0 ) /* integrated PCI device */
- {
-@@ -498,10 +497,15 @@ static void set_msi_source_id(struct pci
- if ( pdev_type(bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
- set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
- (bus << 8) | pdev->bus);
-- else if ( pdev_type(bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
-+ else
- set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
- PCI_BDF2(bus, devfn));
- }
-+ else
-+ dprintk(XENLOG_WARNING VTDPREFIX,
-+ "d%d: no upstream bridge for %02x:%02x.%u\n",
-+ pdev->domain->domain_id,
-+ bus, PCI_SLOT(devfn), PCI_FUNC(devfn));
- break;
-
- default:
diff --git a/sysutils/xenkernel41/patches/patch-xen_arch_x86_time.c b/sysutils/xenkernel41/patches/patch-xen_arch_x86_time.c
index 351ff072965..6c7e278c2a2 100644
--- a/sysutils/xenkernel41/patches/patch-xen_arch_x86_time.c
+++ b/sysutils/xenkernel41/patches/patch-xen_arch_x86_time.c
@@ -1,8 +1,6 @@
-$NetBSD: patch-xen_arch_x86_time.c,v 1.1 2013/04/11 19:57:52 joerg Exp $
-
---- xen/arch/x86/time.c.orig 2013-03-25 14:01:22.000000000 +0000
-+++ xen/arch/x86/time.c
-@@ -105,7 +105,7 @@ static inline u32 mul_frac(u32 multiplic
+--- xen/arch/x86/time.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/time.c 2013-09-11 14:30:13.000000000 +0000
+@@ -105,7 +105,7 @@
{
u32 product_int, product_frac;
asm (
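Review bot: The regenerated patch header drops the `$NetBSD$` RCS tag line and the blank line after it, and the file still carries no comment saying why xen/arch/x86/time.c is patched. pkgsrc patch files are expected to begin with `$NetBSD$` followed by a short rationale, and pkglint normally flags patches that lack either. I would restore `$NetBSD$` as the first line and add one line of description under it; judging by the hunk removed further down, the patch adds operand-size suffixes to the inline-asm `mul` instructions, but confirm that before writing it. The timestamp on the new `+++` line and the `@@` lines without function context suggest the file was produced with plain diff rather than the pkgsrc patch tools.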
@@ -11,7 +9,7 @@ $NetBSD: patch-xen_arch_x86_time.c,v 1.1 2013/04/11 19:57:52 joerg Exp $
: "=a" (product_frac), "=d" (product_int)
: "0" (multiplicand), "r" (multiplier) );
return product_int;
-@@ -129,10 +129,10 @@ static inline u64 scale_delta(u64 delta,
+@@ -129,10 +129,10 @@
#ifdef CONFIG_X86_32
asm (
@@ -24,12 +22,3 @@ $NetBSD: patch-xen_arch_x86_time.c,v 1.1 2013/04/11 19:57:52 joerg Exp $
"xor %5,%5 ; "
"add %4,%%eax ; "
"adc %5,%%edx ; "
-@@ -140,7 +140,7 @@ static inline u64 scale_delta(u64 delta,
- : "a" ((u32)delta), "1" ((u32)(delta >> 32)), "2" (scale->mul_frac) );
- #else
- asm (
-- "mul %2 ; shrd $32,%1,%0"
-+ "mulq %2 ; shrd $32,%1,%0"
- : "=a" (product), "=d" (delta)
- : "rm" (delta), "0" ((u64)scale->mul_frac) );
- #endif
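Review bot: The x86_64 `mul %2` to `mulq %2` change in the `#else` branch of scale_delta is dropped from the pkgsrc patch here, and the commit message does not say why. The hunks for mul_frac and for the CONFIG_X86_32 branch are kept. If 4.1.6.1 does not already carry the suffix upstream, the 64-bit build goes back to an unsuffixed `mul` with an `"rm"` operand, which is presumably what the original patch was added to avoid. It is worth checking the 4.1.6.1 source for `mulq` in that branch and recording the result in the commit log.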
diff --git a/sysutils/xenkernel41/patches/patch-xen_common_libelf_libelf-private.h b/sysutils/xenkernel41/patches/patch-xen_common_libelf_libelf-private.h
deleted file mode 100644
index 42ae5bf395d..00000000000
--- a/sysutils/xenkernel41/patches/patch-xen_common_libelf_libelf-private.h
+++ /dev/null
@@ -1,10 +0,0 @@
-$NetBSD: patch-xen_common_libelf_libelf-private.h,v 1.1 2013/07/13 19:43:21 joerg Exp $
-
---- xen/common/libelf/libelf-private.h.orig 2013-07-12 18:07:36.000000000 +0000
-+++ xen/common/libelf/libelf-private.h
-@@ -1,4 +1,4 @@
--#ifndef __LIBELF_PRIVATE_H__
-+#ifndef __LIBELF_PRIVATE_H_
- #define __LIBELF_PRIVATE_H_
-
- #ifdef __XEN__